Good Morning Chairman Hurd and Chairman Meadows, Ranking Members Kelly and Connolly 
and Members of the Committee. Thank you for giving me the opportunity to discuss the 
Department of Health and Human Services’ (HHS) progress in meeting the objectives defined by 
the Federal Information Technology Acquisition Reform Act (FITARA). HHS testified in June 
2017 about the status of FITARA implementation, and we appreciate the opportunity to return 
and share the transformative gains we’ve made with our effort in less than two years. 


Advancing Agency Mission through improved IT Management 

I currently serve as the Department’s Chief Technology Officer and Acting Department Chief 
Information Officer (CIO). I report directly to the Secretary of Health and Human Services. The 
synergy and partnership across HHS’s C-suite of senior policy officials - the Secretary, Deputy 
Secretary, Assistant Secretary for Administration, and the Assistant Secretary for Financial 
Resources - ensures that HHS’s IT-related matters receive the appropriate attention, and benefit 
from senior policy leadership direction and support. Furthermore, I collaborate with HHS’s 
Chief Financial Officer, Chief Human Capital Officer, Chief Acquisition Officer and Operating 
Division CIOs, to ensure that our fiscal year 2019 IT spend of approximately $6.1B is secure, 
well-managed and supports HHS’s mission and business operations. FITARA provides specific 
areas of priority focus for IT portfolio management, and as a result of the law, HHS took steps to 
enhance the roles and responsibilities of the HHS CIO, increasing CIO visibility across the 
Department and ensuring that the CIO is an active participant and provides approval of IT 
spending during the HHS IT budget process. At HHS, FITARA provides a foundation for cross- 
departmental engagement and fosters a governing framework through which we build common 
strategic direction for IT enablement of operations and mission results. As noted in the House 
Oversight and Government Reform FITARA Scorecard 6.0 - HHS improved in four of the five 
FITARA 5.0 metrics - bringing those scores to an “A” rating. But it is the real and meaningful 
results that make HHS’s FITARA journey remarkable, as exemplified by HHS’s collaborative 
and data-driven approach which delivered the Department’s first software inventory. Such 
results would not have been possible without Senior Policy Official leadership and support, 
collaboration across HHS’s CIO, CFO and CAO communities, and partnerships with GAO, 
OMB and Congressional staff. 


Approach to Successful FITARA Implementation— Targeted Improvement Initiatives 

Immediately after HHS testified before this Committee at the release of FITARA Scorecard 4.0 
in June 2017, HHS paused to analytically review the FITARA legislation, assess our FITARA 
implementation plan and identify opportunities to strengthen our approach to executing both the 
spirit and intent of the law. 

As the principal agency for protecting the health and well-being of all Americans, we know that 
the public counts on us to deliver essential health and human services, foster scientific advances, 
and support efforts to strengthen and modernize the Nation’s healthcare delivery system. 
Efficient and modern information technology is the foundation and catalyst for successful 
delivery of these mission-critical programs, and FITARA provides the governing and 
collaborative construct to ensure that we invest and manage our technology in the most effective 
and efficient manner possible. HHS’s revitalized approach to FITARA implementation gave the 
entire Department the opportunity to use data to deliver meaningful results that improved HHS’s 
IT governance, management, and strategic investments. 

HHS galvanized our internal CIO Community and Department-wide policy officials through a 
FITARA Scorecard initiative, called “A by May,” publicly announced by the HHS Assistant 
Secretary for Administration (ASA), on August 23, 2017. The initiative elevated the importance 
of meeting FITARA objectives and paved the way for Agency-wide participation in 
improvement efforts. HHS developed a methodology to execute the “A by May” initiative, 
focused on the three core components of data, dialogue, and delivery (D3) to initiate real change. 
“A by May” and the “D3” approach were successful in that we engaged an audience to deliver 
measurable results. HHS’s D3 strategy incorporated tactical and strategic activities to ensure 
that the Department writ-large understood the importance of FITARA and the value it provides 
when fully implemented. Key HHS actions included: 

• Data - creating an internal FITARA scorecard, holding FITARA analytic discussions and 
road shows, developing an annual CIO Work Plan based on achievement of FITARA 
outcomes; embracing and refreshing our approach to transparency and risk management 
to acknowledge the inherent risk to mission critical projects and targeting high-dollar 
investments with low risk ratings. 

o Results achieved based on HHS’s data-driven activities include: HHS’s 
recognition of IT investment risk rose from 11% of investments in September 
2017 to 40% in January 2018, representing $2.37 billion in IT investments with a 
moderate to high risk association. Acknowledgment of these inherent risks has 
positively impacted the Department’s FITARA Transparency and Risk score. By 
May 2018, HHS categorized 93% of its Major Investments as moderate or high 
risk and achieved an “A” for this element on the Scorecard 6.0. 

• Dialogue - HHS instituted bi-weekly and monthly communications with Operating 
Division CIOs to discuss FITARA requirements, and to support actions to achieve those 
targets. HHS also established a monthly cadence of briefings with OMB, GAO and the 
Assistant Secretary for Administration to apprise these partners of our activities and 
progress. Finally, HHS ensured senior policy leadership’s awareness of FITARA 
activities through routine communication with the Deputy Secretary and his staff. A key 
component to these conversations focused on deepening HHS’s understanding of the 
letter and intent of the law. Through dialogue, HHS expanded understanding of FITARA 
such that it was no longer perceived as an “IT Law” but rather a law designed to support 
mission and business operations through the effective use of technology. 
o We identified, captured, and reported costs avoided or saved through: use of 
shared services, commodity and consolidated IT acquisitions, adoption of the 
cloud, among other approaches. 
o Delivering Real Change - Software Licensing 

o In accordance with FITARA, the Making Electronic Government Accountable by 
Yielding Tangible Efficiencies (MEGABYTE) Act of 2016, OMB memoranda 
M-16-12 and GAO Report 14-413, HHS developed its first foundational software 
license inventory, consisting of over 12,000 software entries, representing over 4 
million software licenses. In February of 2018, the Office of the CIO first 
collected and integrated automated data from the Continuous Diagnostics and 
Mitigation tool for a sample of HHS licenses. This foundational inventory is 
regularly updated through the quarterly Integrated Data Collection (IDC) and is 
used to support deliberations related to investments and opportunities for greater 
use of enterprise license agreements. 


Modernizing Government Technology Legislation and IT Modernization 

HHS fully supports the spirit and intent of the Modernizing Government Technology (MGT) 
provisions in the National Defense Authorization Act for Fiscal Year 2018, P.L. 115-91, to 
improve HHS technology. 

We believe that HHS’s Nonrecurring Expenses Fund (NEF) provides HHS the ability to meet the 
goals of the MGT legislation's IT Working Capital Fund under current law. The Consolidated 
Appropriations Act, 2008 (Pub. L. 110-161) established the NEF to enable HHS to use expired 
balances of discretionary appropriations for capital acquisitions needed by HHS programs, which 
HHS has used primarily for laboratory and research facilities, Indian Health Service health 
facilities, and information technology systems. 

IT work funded to date includes improving cybersecurity; modernizing systems for accounting, 
human resources, and contract writing; moving IT systems to the cloud; automating Medicare 
appeals processes; and establishing modern IT systems at the Centers for Medicare & Medicaid 
Services. The NEF provides HHS resources for making important system upgrades, 
modernizing IT infrastructure, and procuring capital for the acquisition of mission-critical 
information technology and facilities. HHS remains committed to the spirit and intent of the 
MGT legislation, and its Office of the Chief Information Officer (OCIO) and Office of the Chief 
Technology Officer (OCTO) are working collaboratively to develop a new process for 
prioritizing IT modernization projects for which OCIO/OCTO would recommend investment. 


Federal Information Security Modernization— Cybersecurity Cross-Agency Priorities 

HHS continues to work towards improving its cybersecurity metric as represented in the 
Scorecard. We have been focused on improving our overall cyber posture and on better 
understanding the two separate components that constitute the score - one that reflects the Federal 
Information Security Modernization Act of 2014 (FISMA) Cross-Agency Priorities (CAP) data 
reported by HHS and its operating divisions, and the other derived from the HHS Office of 
Inspector General’s annual FISMA audit. While we understand the OIG data will remain static 
since the IG conducts assessments annually, we also realize the CAP metrics can change from 
quarter to quarter. HHS has been and remains focused on ensuring that the Department complies 
with FISMA requirements and meets all expected cybersecurity metrics included in the Inspector 
General (IG) Annual Audit report and the President’s Management Agenda Cybersecurity Cross- 
Agency Priorities (CAP). 

Under FISMA and the legislation which preceded it, we understand that all Federal agencies 
must implement and maintain a robust cybersecurity program. As a result, I take ownership in 
understanding that as CIO, I am responsible for ensuring that cybersecurity is addressed at HHS. 

I work closely with the HHS Chief Information Security Officer (CISO), who is responsible for 
developing and maintaining the Department’s information security and privacy program. 
Additionally, through a delegated authority, each HHS Operating Division CIO is responsible for 
establishing, implementing, and enforcing its division-wide framework to facilitate its 
information security program. These frameworks feed HHS overall compliance with FISMA 
initiatives, goals and metrics. 
While FISMA performance is difficult to trend year-over-year due to changing CAP goals and 
metrics, HHS continues to improve performance against FISMA metrics. HHS improved 
compliance against one of the three CAP goals which remained consistent year-over-year. These 
results demonstrate our commitment to key cybersecurity capabilities such as hardware asset 
management, mobile device management, protecting against data exfiltration, and protecting our 
high value assets. These efforts to manage risk may not be reflected in our current scoring. 
Furthermore, the Department also takes actions in response to audit findings. 

HHS and its operating divisions are embracing actions that seek to improve FISMA performance 
while increasing adherence to basic cyber hygiene practices, to not only yield greater compliance 
with existing legislative requirements and reporting requirements but also strengthen the 
foundation for a robust HHS-wide risk management-driven cybersecurity framework and greatly 
reduce our cybersecurity risk exposure across the enterprise. 

While the Department continues to improve its information security program, opportunities 
remain to strengthen the overall program. The Department of Homeland Security’s Continuous 
Diagnostics and Mitigation (CDM) program continues to enable HHS to operationalize the goals 
of FISMA and gain near real-time understanding of not only our compliance with FISMA but of 
the cybersecurity risks our enterprise faces on a daily basis. We are bolstering these CDM 
capabilities with other tools to more holistically identify and remediate risk while also increasing 
cybersecurity training and awareness activities which strengthen the cybersecurity skills of our 
security professionals while stressing that basic cyber hygiene is everyone’s responsibility across 
HHS. 

Leveraging the “A by May” D3 (Data, Dialogue and Delivery) framework, HHS is pleased to 
introduce the “Monitor, Maintain and Mature (M3)” initiative, to continue to engage HHS 
Operating Divisions and Staff Divisions around strategies to optimize performance on the IT 
Scorecard 7.0 metrics including: CIO Reporting, Data Center Optimization, FISMA 
Compliance, and Cybersecurity Cross-Agency Priorities, while establishing focus areas for the 
next iteration of the OGR IT Scorecard 8.0. Specifically, we will continue to use our data to 
provide internal HHS FITARA dashboards, host monthly FITARA Meetings with HHS CIOs 
and CISOs, maintain collaborative dialogue with GAO, and both IT and Cybersecurity 
counterparts at OMB. We also plan to continue actionable discussion through M3-centered 
meetings and open dialogue to provide the necessary data and materials around the OGR 
Biannual IT Scorecard 7.0. 

Conclusion 

HHS is committed to achieving the goals set by FITARA and modernizing the Department’s IT 
systems, infrastructure, and processes. Using this framework for sustainable transformation, 
HHS will work towards creating an ecosystem based on collaboration where IT is viewed as both 
a resource and essential driver for achieving mission-critical objectives. The Department is 
confident we can leverage the enormous purchasing power of HHS and the Federal Government 
and expand upon existing shared services to obtain the best price on best-in-class IT acquisitions. 
This approach is designed to be both operationally effective and cost efficient in order to best 
serve HHS beneficiaries and the American taxpayers. While HHS continues to make significant 
strides in fully achieving all goals defined under FITARA, the Department recognizes that a 
sustainable approach requires a more complex path forward. HHS embraces the work and 
challenges that lie ahead. We look forward to continued collaboration with OMB, GAO, and the 
House Subcommittees on Information Technology and Government Operations to improve 
HHS’s FITARA performance. 

Ed Simcox is the Chief Technology Officer (CTO) and Acting Chief Information Officer at the 
U.S. Department of Health and Human Services (HHS). As the CTO and Acting CIO at HHS, Ed 
provides leadership and direction to ensure that HHS effectively leverages data, technology and 
innovation to improve the lives of the American people and the performance of the operating 
divisions across the Department. Simcox has been working at the intersection of healthcare 
and technology for 18 years. 

Prior to joining HHS, Simcox served as the Healthcare Practice Leader at Logicalis, an 
international IT service provider and consultancy with over 300 healthcare clients in the United 
States. In this role, Simcox led the strategy, solution development, and consulting for the U.S. 
healthcare sector. He engaged with healthcare providers across the US in a consulting capacity 
and advocated for the liberation of healthcare data and telehealth adoption. 

Prior to joining Logicalis, Ed was director of U.S. healthcare strategy, partnerships, and product 
development for AT&T. Ed’s portfolio included emerging technologies and products supporting 
mHealth, telehealth, and health information exchange. 

Before joining AT&T, Ed held multiple leadership roles at Indiana University Health, a large U.S. 
healthcare system with 19 hospitals, 50 physician groups and annual revenue of over $6 billion. 
Simcox served as the Chief Technology Officer, and prior to that, the Director of Business 
Innovations, an internal innovation incubator and design lab. Simcox was awarded 
ComputerWorld's Laureate medal for leading a project that achieved $5 million in savings 
through the design and implementation of innovative IT solutions in the inpatient healthcare 
setting. During Simcox’s time as CTO, Indiana University Health received Hospitals and Health 
Networks' "Most Wired Hospital" award based in part on his team’s work with emerging 
technologies. 



Sheila O. Conley 


Ms. Conley serves as HHS's Deputy Assistant Secretary for Finance and Deputy Chief 
Financial Officer. She is responsible for leading the Department's financial 
accountability and stewardship efforts including: the preparation and audit of HHS' 
annual financial statements; modernizing the financial management systems 
portfolio; strengthening internal controls; and reducing improper payments in our 
largest programs. She also leads the Department's Enterprise Risk Management 
(ERM) program. 

Before joining HHS in 2006, Ms. Conley served as the Managing Director for Financial 
Policy, Reporting and Analysis at the U.S. Department of State from 2003 to 2006. 
She held positions of increasing responsibility at the Office of Management and 
Budget (OMB) between 1992 and 2003, where she was charged principally with 
leading government-wide implementation of the CFOs Act of 1990. 

Ms. Conley was a senior manager with an international public accounting firm 
before entering Federal service, where she provided audit and financial 
management services for over 10 years to a wide range of clients. She has received 
many awards throughout her career including the Presidential Rank Award and HHS 
Distinguished Service Award. 

Ms. Conley is a certified public accountant in the District of Columbia, Fellow of the 
National Academy of Public Administration, and member of several professional 
associations. She obtained a bachelor's of business administration degree (summa 
cum laude) from James Madison University. She is married and has three sons. 



